Webworm: New Burrowing Techniques

    Date: 05/22/2026

    Severity: High

    Summary

    Webworm, a China-aligned APT group, has evolved its operations by shifting from traditional malware families toward stealthier custom tools and proxy-based techniques. In 2025, the group introduced new backdoors such as EchoCreep and GraphWorm, which abuse trusted platforms like Discord and Microsoft Graph API for command-and-control communication. The group also stages malware through GitHub repositories, demonstrating an ongoing effort to improve persistence, evade detection, and expand cyberespionage operations into new regions. 

    Indicators of Compromise (IOC) List

    URLs/Domains

    wamanharipethe.s3.ap-south-1.amazonaws.com

    IP Addresses

    45.77.13.67

    64.176.85.158

    104.243.23.43

    108.61.200.151

    144.168.60.233

    Hash


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "wamanharipethe.s3.ap-south-1.amazonaws.com" or url like "wamanharipethe.s3.ap-south-1.amazonaws.com" or siteurl like "wamanharipethe.s3.ap-south-1.amazonaws.com"

    Detection Query 2:

    dstipaddress IN ("104.243.23.43","108.61.200.151","64.176.85.158","144.168.60.233","45.77.13.67") or srcipaddress IN ("104.243.23.43","108.61.200.151","64.176.85.158","144.168.60.233","45.77.13.67")

    Detection Query 3:

    md5hash IN ("f06ad246658c9e002c93f80c835f6a56","efa6c7cc38e94a1d3e5e6b7f52181de4","ce06d071e7e3b47fac26cc2b97059be7","d5cfe44e29e909ba70b06d5e6384987f","b200335ad665b1852578c0a47f0f1c92","a1b3581070f4d99c2263b5907f3319e5")

    Detection Query 4:

    sha1hash IN ("77f1970d620216c5fff4e14a6ccc13fccc267217","7dcfe9ee25841dfd58d3d6871bf867fe32141dfb","1df40a4a31b30b62ec33dc6fecc2c4408302adc7","a3c077bdf8898e612ccd65bc82e7960834adb2a9","cb4e50433336707381429707f59c3cbe8d497d98","948159a7fc2e688386864bea59fd40dffc4b24d6")

    Detection Query 5:

    sha256hash IN ("97a8e5b2bc51f3b3f7cd2117cf0da8fc49bee2e597ecc04637dcfdccfbf7e8e0","6eb6a34252195ddc7f5fb94c4fb382dedde227c4dfee4a80e9e0ee6f80c8bcb1","bd93fd7c18fdb514d451f8faf64a68584e967403ef5f75886ccafbadb203f422","805ba5f4e218ed897e32bd9d167e5318928ef58405054042779bd6f72df927e2","24bd6b3e622772dd3a8a6d36847ea034eefb69640dadf3e55cbf4baf1897b767","dc9f0618d996bf6e2fe615cc71d320a9c585839414a78512f54bfdcb8e6705b9")
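    The five TDIR queries above, applied offline to log records as an added example (this is not Gurucul's or ESET's code). It assumes records are dicts keyed by the same field names the queries use, and treats the query-1 "like" operator as a substring match on the URL/host fields; the sample records at the bottom are constructed, the indicator values are the ones listed in this advisory.

```python
# Indicators copied from the advisory's IOC list and the five Gurucul queries above.
IOC_DOMAINS = {"wamanharipethe.s3.ap-south-1.amazonaws.com"}
IOC_IPS = {"45.77.13.67", "64.176.85.158", "104.243.23.43", "108.61.200.151", "144.168.60.233"}
IOC_MD5 = {"f06ad246658c9e002c93f80c835f6a56", "d5cfe44e29e909ba70b06d5e6384987f",
           "b200335ad665b1852578c0a47f0f1c92", "ce06d071e7e3b47fac26cc2b97059be7",
           "a1b3581070f4d99c2263b5907f3319e5", "efa6c7cc38e94a1d3e5e6b7f52181de4"}
IOC_SHA1 = {"77f1970d620216c5fff4e14a6ccc13fccc267217", "a3c077bdf8898e612ccd65bc82e7960834adb2a9",
            "cb4e50433336707381429707f59c3cbe8d497d98", "1df40a4a31b30b62ec33dc6fecc2c4408302adc7",
            "948159a7fc2e688386864bea59fd40dffc4b24d6", "7dcfe9ee25841dfd58d3d6871bf867fe32141dfb"}
IOC_SHA256 = {"6eb6a34252195ddc7f5fb94c4fb382dedde227c4dfee4a80e9e0ee6f80c8bcb1",
              "805ba5f4e218ed897e32bd9d167e5318928ef58405054042779bd6f72df927e2",
              "24bd6b3e622772dd3a8a6d36847ea034eefb69640dadf3e55cbf4baf1897b767",
              "97a8e5b2bc51f3b3f7cd2117cf0da8fc49bee2e597ecc04637dcfdccfbf7e8e0",
              "dc9f0618d996bf6e2fe615cc71d320a9c585839414a78512f54bfdcb8e6705b9",
              "bd93fd7c18fdb514d451f8faf64a68584e967403ef5f75886ccafbadb203f422"}

def _like(value, iocs):    # query 1 uses "like": treated here as a substring match (assumption)
    return any(ioc in value for ioc in iocs)
def _in(value, iocs):      # queries 2-5 use IN: exact match
    return value in iocs

# (label, fields OR-ed together in the query, indicator set, comparison function)
RULES = [
    ("Query1-domain", ("domainname", "url", "siteurl"), IOC_DOMAINS, _like),
    ("Query2-ip", ("dstipaddress", "srcipaddress"), IOC_IPS, _in),
    ("Query3-md5", ("md5hash",), IOC_MD5, _in),
    ("Query4-sha1", ("sha1hash",), IOC_SHA1, _in),
    ("Query5-sha256", ("sha256hash",), IOC_SHA256, _in),
]

def match_record(record):
    """Return the labels of every query that fires on one log record (dict of field -> value)."""
    hits = []
    for label, fields, iocs, compare in RULES:
        for field in fields:
            value = record.get(field)
            # hostnames and hex digests are case-insensitive; normalise before comparing
            if value is not None and compare(str(value).strip().lower(), iocs):
                hits.append(label)
                break  # the query's OR is satisfied; record one hit per query
    return hits

def scan(records):  # apply all queries; return [(index, hits)] for the records that matched
    return [(i, h) for i, r in enumerate(records) if (h := match_record(r))]

# Constructed sample records (not from the advisory) so the script runs stand-alone.
SAMPLE_LOGS = [
    {"srcipaddress": "10.0.0.5", "dstipaddress": "104.243.23.43", "url": "http://example.invalid/"},
    {"md5hash": "F06AD246658C9E002C93F80C835F6A56", "sha256hash": "0" * 64},
    {"url": "https://wamanharipethe.s3.ap-south-1.amazonaws.com/x.bin", "srcipaddress": "45.77.13.67"},
    {"srcipaddress": "10.0.0.9", "dstipaddress": "8.8.8.8"},
]
```

Feeding `scan(SAMPLE_LOGS)` flags the first three records (IP, MD5, and domain plus IP respectively) and leaves the fourth clean; uppercase digests still match because values are lowercased before comparison.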

    Reference:

    https://www.welivesecurity.com/en/eset-research/webworm-new-burrowing-techniques/#iocs


    Tags

    Malware, Threat Actor, China, APT, Backdoor, Discord, Microsoft, GitHub, Cyber Espionage
